[Emerging-Sigs] FP:: netbackup

David Glosser david.glosser at gmail.com
Fri Jan 16 15:53:45 EST 2009


great! just added to it....


On Fri, Jan 16, 2009 at 4:12 PM, Matt Jonkman <jonkman at jonkmans.com> wrote:

> We have the wiki for this purpose. FPs, TPs, issues, etc.
>
> http://doc.emergingthreats.net
>
> or
>
> http://doc.emergingthreats.net/2003055
>
> Everything available is there. :)
>
> Matt
>
> Joel Esler wrote:
> > That's something worth discussing...
> >
> > J
> >
> > On Jan 16, 2009, at 3:06 PM, David Glosser allegedly wrote:
> >
> >> Something like this for ET rules would be interesting...
> >>
> >> On Fri, Jan 16, 2009 at 2:39 PM, Joel Esler <eslerj at gmail.com
> >> <mailto:eslerj at gmail.com>> wrote:
> >>
> >>     When VRT rules are written and reported on, there is a document
> >>     included with every single signature in the database.  In this
> >>     documentation file, there is a field called false positives.
> >>
> >>     All of this documentation is available on the Snort.org website
> >>     easily by searching for rule number on the left hand side of the
> >>     page.
> >>
> >>     J
> >>
> >>     On Jan 16, 2009, at 11:47 AM, David Glosser allegedly wrote:
> >>
> >>>     yeah, you are right. Is there a list or database of known "false
> >>>     positives" (this time in quotes) or known applications which trip
> >>>     on certain rules?
> >>>
> >>>
> >>>     On Fri, Jan 16, 2009 at 11:26 AM, Joel Esler <eslerj at gmail.com
> >>>     <mailto:eslerj at gmail.com>> wrote:
> >>>
> >>>
> >>>         On Jan 16, 2009, at 7:22 AM, David Glosser allegedly wrote:
> >>>
> >>>>         Net Backup False Positive:
> >>>>
> >>>>         1/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE
> >>>>         Suspicious 220 Banner on Local Port [**] [Classification:
> >>>>         Detection of a non-standard protocol or event] [Priority: 2]
> >>>>         {TCP} 172.20.xx.xx:13724 -> 192.168.xx.xx:2453
> >>>>
> >>>>         Yeah, I have to talk to the backup guy and figure out why
> >>>>         he's not using the backup network :)
> >>>
> >>>         So, it's not a false positive.  The alert triggered on what
> >>>         you wanted it to trigger on, and even more it helped you find
> >>>         a system that is operating incorrectly.
> >>>
> >>>         I guess I don't see how it's a false positive.  My point is,
> >>>         and not picking on you David,  but people say False positive
> >>>         a lot in this industry and I think they are just using the
> >>>         wrong terminology.
> >>>
> >>>         Pedantic I know.
> >>>
> >>>         J
> >>>
> >>>
> >>>
> >>>         --
> >>>         Joel Esler
> >>>           http://www.joelesler.net
> >>>           http://www.twitter.com/joelesler
> >>>         [m]
> >>>
> >>>
> >>
> >>
> >>     --
> >>     Joel Esler
> >>       http://www.joelesler.net
> >>       http://www.twitter.com/joelesler
> >>     [m]
> >>
> >>
> >
> >
> > --
> > Joel Esler
> >   http://www.joelesler.net
> >   http://www.twitter.com/joelesler
> > [m]
> >
> >
> > ------------------------------------------------------------------------
> >
> > _______________________________________________
> > Emerging-sigs mailing list
> > Emerging-sigs at emergingthreats.net
> > http://lists.emergingthreats.net/mailman/listinfo/emerging-sigs
>
> --
> --------------------------------------------
> Matthew Jonkman
> Emerging Threats
> Phone 765-429-0398
> Fax 312-264-0205
> http://www.emergingthreats.net
> --------------------------------------------
>
> PGP: http://www.jonkmans.com/mattjonkman.asc
>
>
>
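As an added example (not code from any list member), a small Python triage helper for the alert format quoted above: it parses a Snort fast-format alert line and applies the reasoning from the thread, treating a NetBackup banner as expected only when both hosts sit on the backup network, and otherwise keeping the alert as a real finding. The backup network range, the sample lines and the NetBackup port list are constructed assumptions.

```python
import ipaddress
import re

# Snort "fast" alert line, as quoted in the thread.
ALERT_RE = re.compile(
    r"(?P<ts>\S+)\s+\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.+?)\s+\[\*\*\]\s+(?:\[Classification:\s+(?P<cls>[^\]]+)\]\s+)?"
    r"\[Priority:\s+(?P<prio>\d+)\]\s+\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

BANNER_SID = 2003055                       # ET rule from the thread
NETBACKUP_PORTS = {13724}                  # port seen in the alert (assumption: NetBackup)
BACKUP_NET = ipaddress.ip_network("172.20.0.0/16")   # constructed site assumption

# Constructed sample lines (addresses are made up; the thread masked them).
SAMPLE_ALERTS = [
    "1/15-20:41:50.368405  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner on Local Port"
    " [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2]"
    " {TCP} 172.20.5.10:13724 -> 192.168.7.20:2453",
    "1/15-20:42:01.000001  [**] [1:2003055:4] ET MALWARE Suspicious 220 Banner on Local Port"
    " [**] [Classification: Detection of a non-standard protocol or event] [Priority: 2]"
    " {TCP} 172.20.5.10:13724 -> 172.20.9.40:2460",
]

def parse_alert(line):
    """Parse one fast-format line into a dict, or return None if it does not match."""
    m = ALERT_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    for key in ("gid", "sid", "rev", "prio", "sport", "dport"):
        d[key] = int(d[key])
    return d

def triage(alert):
    """Classify a parsed alert as 'expected', 'finding' or 'review' with a reason."""
    if alert["sid"] != BANNER_SID:
        return ("review", "not the 220-banner rule; triage separately")
    if alert["sport"] not in NETBACKUP_PORTS and alert["dport"] not in NETBACKUP_PORTS:
        return ("review", "220 banner on a port not associated with NetBackup")
    src, dst = ipaddress.ip_address(alert["src"]), ipaddress.ip_address(alert["dst"])
    if src in BACKUP_NET and dst in BACKUP_NET:
        # Known application on its dedicated network: candidate for a suppress/threshold.
        return ("expected", "NetBackup banner confined to the backup network")
    # The rule fired correctly and exposed a host talking backup traffic off-network.
    return ("finding", "NetBackup traffic outside the backup network")

def triage_lines(lines):
    return [triage(a) for a in map(parse_alert, lines) if a is not None]
```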